buffer overflow in srm_env_write?!
Heid Oliver
oliver.heid at siemens.com
Fri Mar 11 12:23:28 UTC 2005
Shouldn't
if (copy_from_user(buf, buffer, count))
goto out;
buf[count] = '\0';
ret1 = callback_setenv(entry->id, buf, count);
read
buf[count-1] = '\0';
^^^^^^^
in srm_env_write() in srm_env.c?! When I change SRM variables via
/proc/srm_environment, a trailing linefeed 0x0a is written into the
variable, which it is not when changing the variable via the SRM graphical
console itself. The above code change overwrites the linefeed with 0x0.
Oliver
More information about the axp-list
mailing list